Blog security

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
3/18/2014 5:47:05 PM
Total Posts 1188
Proud member of the mojoPortal team

Blog security

Hi Joe, I have an issue with blog security--a user reported that she can create blog posts, but is not able to edit previous posts.

In the blog's feature instance, in "Roles that can edit content," the main radio button is set to "Administrators, Content Administrators, and roles selected below are allowed". We have a custom security role that is checked here as well.

A user in that custom role can create blog posts, but is not able to edit existing blog posts.

I checked the page settings, and in the edit permissions, only the "Administrators, Content Administrators, and roles selected below are allowed" radio button is selected. I also tried adding the custom role to this permission list, but that didn't make any difference other than giving the user the ability to edit the page features, which is definitely not what we want.

I attempted to replicate this on demo.mojoportal.com, but it actually seems worse there: I created a new security role, then assigned a new user to that role, and granted the role the ability to edit content on the existing blog. When I sign in as the test user, the add post link isn't presented to the user at all. I'm not sure if there is an extra layer of security in demo that's interfering with this?

We're running 2.3.9.9 in production, but I just upgraded dev to the latest repository revision and still see the same behavior there.

Thanks,

Jamie

3/18/2014 6:05:15 PM
Total Posts 18444

Re: Blog security

Hi Jamie,

As I recall this was needed to support multiple users who can only edit their own posts within the same blog instance. So only admins and content admins can edit posts that they did not author.

However if you prefer the previous behavior you can add this to user.config

<add key="Blog:SecurePostsByUser" value="false" />

Hope that helps,

Joe

3/19/2014 9:40:02 AM
Total Posts 1188
Proud member of the mojoPortal team

Re: Blog security

Thanks Joe! Somehow that change slipped by me. I agree doing it this way makes much better sense from a security standpoint, so I'll let the user know.
